CVE-2019-18295 – This vulnerability in Siemens SPPA-T3000 MS3000... (How to Fix)

Q: What is the severity of CVE-2019-18295?

CVE-2019-18295 has a CVSS score of 9.8 (CRITICAL). This vulnerability in Siemens SPPA-T3000 MS3000 Migration Server allows attackers with network access to send specially crafted packets to port 5010/tcp, potentially causing denial-of-service or remote code execution. All versions of the MS3000 Migration Server are affected. Attackers must have network access to the target system to exploit this vulnerability.

📋 TL;DR

This vulnerability in Siemens SPPA-T3000 MS3000 Migration Server allows attackers with network access to send specially crafted packets to port 5010/tcp, potentially causing denial-of-service or remote code execution. All versions of the MS3000 Migration Server are affected. Attackers must have network access to the target system to exploit this vulnerability.

💻 Affected Systems

Products:

SPPA-T3000 MS3000 Migration Server

Versions: All versions

Operating Systems: Not specified in advisory

Default Config Vulnerable: ⚠️ Yes

Notes: The vulnerability affects the MS3000 Migration Server component specifically. Requires network access to port 5010/tcp.

📦 What is this software?

Sppa T3000 Ms3000 Migration Server by Siemens

View all CVEs affecting Sppa T3000 Ms3000 Migration Server →

⚠️ Manual Verification Required

This CVE does not have specific version information in our database, so automatic vulnerability detection cannot determine if your system is affected.

Why? The CVE database entry doesn't specify which versions are vulnerable (no version ranges provided by the vendor/NVD).

🔒 Custom verification scripts are available for registered users. Sign up free to download automated test scripts.

Recommended Actions:

Review the CVE details at NVD
Check vendor security advisories for your specific version
Test if the vulnerability is exploitable in your environment
Consider updating to the latest version as a precaution

⚠️ Risk & Real-World Impact

🔴

Worst Case

Remote code execution leading to complete system compromise, data theft, or disruption of industrial control operations.

🟠

Likely Case

Denial-of-service condition disrupting migration server functionality and potentially affecting industrial operations.

🟢

If Mitigated

No impact if proper network segmentation and access controls prevent attackers from reaching the vulnerable service.

🌐 Internet-Facing: HIGH - If exposed to the internet, attackers can directly exploit without internal access.

🏢 Internal Only: HIGH - Even internally, any compromised device or malicious insider could exploit this vulnerability.

🎯 Exploit Status

Public PoC: ⚠️ Yes

Weaponized: LIKELY

Unauthenticated Exploit: ⚠️ Yes

Complexity: LOW

Exploitation requires sending specifically crafted packets to port 5010/tcp. No authentication is required. Public proof-of-concept exists in Packet Storm Security references.

🛠️ Fix & Mitigation

✅ Official Fix

Patch Version: Not specified in available references - consult Siemens advisory for specific version

Vendor Advisory: https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf

Restart Required: Yes

Instructions:

1. Consult Siemens security advisory SSA-451445. 2. Apply the recommended updates from Siemens. 3. Restart affected services/systems. 4. Verify the patch is applied successfully.

🔧 Temporary Workarounds

Network Segmentation

linux

Block access to port 5010/tcp from untrusted networks and restrict to necessary systems only.

firewall-cmd --permanent --add-rich-rule='rule family="ipv4" source address="TRUSTED_NETWORK" port protocol="tcp" port="5010" accept'
firewall-cmd --permanent --add-rich-rule='rule family="ipv4" port protocol="tcp" port="5010" drop'
firewall-cmd --reload

Windows Firewall Rule

windows

Create Windows firewall rule to block port 5010 from untrusted networks.

New-NetFirewallRule -DisplayName "Block MS3000 Port 5010" -Direction Inbound -LocalPort 5010 -Protocol TCP -Action Block

🧯 If You Can't Patch

Implement strict network segmentation to isolate MS3000 servers from untrusted networks
Deploy intrusion detection/prevention systems to monitor for exploitation attempts on port 5010

🔍 How to Verify

Check if Vulnerable:

Check if MS3000 Migration Server is running and listening on port 5010/tcp: netstat -an | grep 5010 or ss -tlnp | grep 5010

Check Version:

Consult Siemens documentation for version checking specific to SPPA-T3000 systems

Verify Fix Applied:

Verify patch version against Siemens advisory and confirm port 5010 is no longer vulnerable through security testing (with proper authorization).

📡 Detection & Monitoring

Log Indicators:

Unusual traffic patterns to port 5010
MS3000 service crashes or abnormal termination
Unexpected process execution on MS3000 server

Network Indicators:

Malformed packets to port 5010/tcp
High volume of connection attempts to port 5010
Traffic from unexpected sources to port 5010

SIEM Query:

destination_port=5010 AND (packet_size>normal OR protocol_anomaly=true) OR (process_name="ms3000" AND event_type="crash")

📊 Metadata

CVE ID: CVE-2019-18295

CVSS v3 Score: 9.8 (CRITICAL)

CVSS Vector: CVSS:3.1/AV:N/AC:L/PR:N/UI:N/S:U/C:H/I:H/A:H

CWE: CWE-122

Published: December 12, 2019

Last Updated: November 21, 2024

🔗 References

http://packetstormsecurity.com/files/155665/Siemens-Security-Advisory-SPPA-T3000-Code-Execution.html Third Party Advisory,VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf Mitigation,Vendor Advisory
http://packetstormsecurity.com/files/155665/Siemens-Security-Advisory-SPPA-T3000-Code-Execution.html Third Party Advisory,VDB Entry
https://cert-portal.siemens.com/productcert/pdf/ssa-451445.pdf Mitigation,Vendor Advisory

📤 Share & Export

📄 Export Markdown 📋 Export JSON

🔗 Related Vulnerabilities

If you're affected by CVE-2019-18295, you might also want to check these: